SAP issued an update to correct an ActiveX flaw that plagues its graphical user interface (GUI). The flaw could be exploited by an attacker to gain access to sensitive data.
The SAP interface is used in the software vendor's enterprise resource planning applications.
The flaw was discovered by Carsten Eiram, a researcher with Danish vulnerability clearinghouse Secunia. In the Secunia advisory, Eiram said an error in the TabOne ActiveX control could be remotely exploited to cause a heap-based buffer overflow by adding multiple tabs. Secunia gave the flaw a highly critical rating.
"Successful exploitation may allow execution of arbitrary code," Secunia said.
SAP issued an update correcting the flaw. Version 7.10 sets the kill-bit for the ActiveX control.
The Waldorf, Germany-based software vendor has corrected a number of ActiveX flaws in the past. SAP issued an update to its GUI in November, correcting an ActiveX flaw that could crash Internet Explorer if an attacker passed malicious code.